Fix macro for extracting local interactive users #11589

Merged
@@ -1,6 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
touch /home/$USER/.bashrc
chgrp 10005 /home/$USER/.bashrc
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "touch /home/\$user/.bashrc; chgrp 10005 /home/\$user/.bashrc"
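Review bot: the command string on the last line is executed with `eval` inside `run_foreach_noninteractive_shell_account`, so the `\$user` escapes are load-bearing; an unescaped `$user` would expand to the empty string at the call site and the commands would operate on `/home//.bashrc`. Since this quoting has to be repeated in every test script, consider passing the per-user work as a function name (called with `$user` as an argument) instead of an eval'd string.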
@@ -1,6 +1,6 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
touch /home/$USER/.bashrc
chown 10005 /home/$USER/.bashrc
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "touch /home/\$user/.bashrc; chown 10005 /home/\$user/.bashrc"

@@ -1,4 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -M -s /sbin/nologin $USER
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "rm -rf /home/\$user"
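Review bot: the old script used `useradd -M` so the home directory never existed; the new helper hard-codes `useradd -m`, which is why the test now has to `rm -rf /home/\$user` afterwards. If the helper accepted the `useradd` flags (or a create-home toggle) as a parameter, the test could express the intended state directly instead of creating a directory only to delete it.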
@@ -1,6 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
echo "$USER" > /home/$USER/$USER.txt
chgrp 10005 /home/$USER/$USER.txt
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "echo \$user > /home/\$user/\$user.txt; chgrp 10005 /home/\$user/\$user.txt"
@@ -1,6 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
echo "$USER" > /home/$USER/$USER.txt
chown 10005 /home/$USER/$USER.txt
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "echo \$user > /home/\$user/\$user.txt; chown 10005 /home/\$user/\$user.txt"
@@ -1,7 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
echo "$USER" > /home/$USER/$USER.txt
chmod -Rf 700 /home/$USER/.*
chmod -f o+r /home/$USER/$USER.txt
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "echo \$user > /home/\$user/\$user.txt; chmod -Rf 700 /home/\$user/.*; chmod -f o+r /home/\$user/\$user.txt"
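Review bot: `chmod -Rf 700 /home/\$user/.*` also matches `/home/\$user/..`, i.e. `/home` itself, so the recursive chmod is applied to every directory under `/home`, including the home directories and `\$user.txt` files of the accounts created in earlier loop iterations. The single-user version had the same glob, but the loop makes it worse: each iteration resets the previous users' `\$user.txt` to 700, so only the last user's file ends up with `o+r`. Use `/home/\$user/.[!.]*` (or `shopt -s dotglob` with `/home/\$user/*`) so only the intended dotfiles are touched.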
@@ -1,5 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
chgrp 10005 /home/$USER
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "chgrp 10005 /home/\$user"
@@ -1,5 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
chown 10005 /home/$USER
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "chown 10005 /home/\$user"
@@ -1,5 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
chmod 755 /home/$USER
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "chmod 755 /home/\$user"
@@ -1,5 +1,5 @@
#!/bin/bash

USER="cac_user"
useradd -m -s /sbin/nologin $USER
echo "umask 022" >> /home/$USER/.bashrc
. "$SHARED/accounts_common.sh"

run_foreach_noninteractive_shell_account "echo 'umask 022' >> /home/\$user/.bashrc"
10 changes: 5 additions & 5 deletions shared/macros/10-oval.jinja
@@ -1179,7 +1179,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

{{#
Extract from /etc/passwd a list of specified fields of local interactive users.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin and /bin/false shell.

Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object".
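Review bot: the updated description lists only `/sbin/nologin` and `/bin/false`, but the pattern in this file also excludes the `/usr/sbin/nologin` and `/usr/bin/false` variants, and `tests/shared/accounts_common.sh` creates accounts with all four shells. Spell out the `/usr`-prefixed paths here (and in the three identical docstrings below) so the documentation matches what the regex actually filters.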

@@ -1220,7 +1220,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
regular expression which ensures that the third field in the entry
contains at least 4 digits (or more) and therefore the regular
expression doesn't match entries with values 999 or less. -->
<ind:pattern operation="pattern match">^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!\/sbin\/nologin)[^:]*$</ind:pattern>
<ind:pattern operation="pattern match">^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
<filter action="exclude">state_{{{ object_id }}}_users_ignored</filter>
</ind:textfilecontent54_object>
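Review bot: `(\/usr)?` and `(\/sbin\/nologin|\/bin\/false)` are capturing groups, whereas the rest of this pattern deliberately uses `(?:[^:]*:){3}` so that the username in group 1 is the only capture. In an `ind:textfilecontent54_object` every capturing group maps to a `subexpression` entity of the resulting item, so this change can alter the number of subexpression entries per matched line even though groups inside a negative lookahead never capture text. Make them non-capturing: `(?!(?:\/usr)?(?:\/sbin\/nologin|\/bin\/false))`. Note also that the lookahead is not anchored to the end of the shell field, so any shell path that merely starts with one of these strings is excluded as well; add `$` inside the lookahead if an exact match is intended.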
@@ -1235,7 +1235,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

{{#
Extract from /etc/passwd a list of home directories of local interactive users.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin and /bin/false shell.

Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object".

@@ -1254,7 +1254,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

{{#
Extract from /etc/passwd a list of User IDs of local interactive users.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin and /bin/false shell.

Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object".

@@ -1273,7 +1273,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

{{#
Extract from /etc/passwd a list of Group IDs of local interactive users.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell.
The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin and /bin/false shell.

Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object".

16 changes: 16 additions & 0 deletions tests/shared/accounts_common.sh
@@ -0,0 +1,16 @@
#!/bin/bash

# for each noninteractive shell, create user account
# and eval ommands which are passed in as function arguments
function run_foreach_noninteractive_shell_account {
for shell in "/sbin/nologin" \
"/usr/sbin/nologin" \
"/bin/false" \
"/usr/bin/false"; do

user=cac_user${shell//\//_}
useradd -m -s $shell $user

eval "$*"
done
}
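Review bot: `eval "$*"` runs the caller's string with no error handling, and the `useradd` result is not checked either, so if an account already exists (for example when a test script is re-run on the same machine) the loop silently continues against the previous run's state and the eval'd commands may act on a home directory owned by another UID. Add `|| return 1` after `useradd`, quote `"$shell"` and `"$user"`, and fix the typo `ommands` in the comment. Since every caller now needs `useradd -m`, consider taking the `useradd` options as a parameter so tests that want no home directory do not have to delete it afterwards.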